The server needs to know which browser made the request, and the only way it can do that is by getting some unique identifier from the browser. That identifier can be:
1. A cookie (GET or POST)
2. A CGI QueryString (GET)
3. A hidden form variable (POST)
Once the session is established between IIS and the browser, there's more than one way to store the session info on the server-side, MS-SQL being one of them. (I'm intrigued by your recent project to configure MS-SQL as a session storage vehicle—I'd like to do that someday.)
How a given session is stored/managed on the server is a different issue from the means of determining which requesting browser belongs to which session.
>Actually, now that I think about it a little more, I don't know why it would necessarily *have* to use a cookie when you are using SQL Server. The web server knows about the fact that you are using SQL Server, as you need to include the SessionState mode in your web.config.
>
>Are you sure about this?
>
>~~Bonnie